ABSTRACT

A key problem in the verification of multi-agent systems by model checking concerns the fact that the state space of the system grows exponentially with the number of agents present. This makes practical model checking unfeasible whenever the system contains more than a few agents. In this paper we put forward a technique to establish a cutoff result, thereby showing that all systems of an arbitrary number of agents can be verified by model checking a single system containing a number of agents equal to the cutoff of the system. While this problem is undecidable in general, we here define a class of parameterised interpreted systems and a parameterised temporal-epistemic logic for which the result can be shown. We exemplify the theoretical results on a robotic example and present an implementation of the technique on top of mcmas, an open-source model checker for multi-agent systems.

Categories and Subject Descriptors 

D.2.4 [Software/Program Verification]: Model Checking 

General Terms 

Theory; Verification 

Keywords 

Epistemic Logic; Model Checking; Parameterised MAS 

1. INTRODUCTION 

Verification and validation of systems before deployment is increasingly seen as being of fundamental importance not just in safety-critical applications, but also in more mainstream applications. Multi-Agent Systems (MAS) are no exception. The past ten years have witnessed considerable research in verification techniques aimed at assessing automatically whether or not a MAS meets its intended specifications.

One of the leading techniques in this area is model checking [5]. In this setting the system under analysis $S$ is encoded as a transition system $M_S$ and a specification $P$ is formalised as a logical formula $\varphi_P$; the model checking procedure is responsible for establishing whether $M_S \models \varphi_P$, i.e., whether or not the system $M_S$ satisfies the formula $\varphi_P$. In the MAS domain specifications are often expressed as epistemic, deontic, and ATL formulas; the techniques put forward in the MAS community reflect this [15, 13, 17]. Explicit techniques are less efficient, but symbolic checkers such as MCK [13], mcmas [17] and VerICS [15] are capable of handling state spaces of the region of $10^{15}$ and beyond. Unfortunately, MAS-based applications, due to the agents' complex and intentional nature, often generate much larger state spaces. To alleviate this problem, a number of techniques, including abstraction, have been put forward. While these have been successful in allowing users to tackle larger systems, it is still the case that, generally speaking, systems with many agents are difficult to verify. Clearly, this has a significant impact in open MAS populated by a multitude of agents competing or cooperating to reach an individual or a common goal. The aim of this paper is to contribute to overcoming this shortcoming.

To begin this investigation in a principled way, we work on a class of MAS composed of identical agents interacting with an environment. While this may seem a strong condition, we observe that this is a relatively common assumption in many application areas of interest, ranging from robotics to artificial life, swarm intelligence, services and open systems in general. A natural question in these systems is whether certain properties hold irrespective of the number of agents present. For example, in a remote robotic scenario we may wish to check that any number of interacting robots will indeed establish a given objective. It is immediate to see that plain vanilla model checking cannot be of help here. To establish this property we would have to consider an infinite number of different systems, each composed of a different number of agents, and run model checking algorithms on each of these. Notwithstanding the fact that we cannot check an infinite number of systems in finite time, this class of systems is mostly composed of systems for which model checking would require an unfeasible amount of memory and time.

To solve this problem we develop a technique that enables us to derive the number of agents that it is sufficient to consider in order to show that a property holds in the system for any number of agents. In line with the literature on reactive systems [8, 14], we call this bound the MAS cutoff. In sharp contrast with the literature on reactive systems, we here work with interleaved interpreted systems [16] and a temporal-epistemic language.

The rest of the paper is organised as follows. In Section 2 we define an interleaved semantics that we will use throughout the paper, a logic that we call IACTL*K-X, which combines the universal fragment of CTL* without "next" with a parameterised version of epistemic logic, and establish a stuttering-equivalence simulation result. Section 3 presents the technique to establish the cutoff and presents the main theoretical result of the paper, thereby guaranteeing the soundness of the technique. To exemplify the theory we discuss a robotic example in Section 4. We discuss our implementation in Section 5 and present experimental results. We conclude in Section 6, also discussing related work.

2. PARAMETERISED INTERLEAVED INTERPRETED SYSTEMS

In this section we introduce a framework for reasoning about parameterised multi-agent systems. In particular, we recall the semantics of interleaved interpreted systems [16] and we introduce that of parameterised interleaved multi-agent systems. To reason about the temporal-epistemic behaviours of agents, we introduce the logic IACTL*K-X, a parameterised extension of ACTL*-X with indexed atomic propositions and indexed epistemic modalities.

2.1 Interleaved Interpreted Systems 

The interpreted systems (IS) formalism [12] is a standard semantics for MAS. Here we consider a special class of interpreted systems, called interleaved interpreted systems (IIS) [16], in which the agents evolve in parallel asynchronously (i.e., by means of interleaving semantics [5]). Differently from standard interpreted systems, where actions may be performed by all the agents at the same round, IIS insist on only one local action at a time being performed in the system. If, at any given round, more than one agent admits in its repertoire the action to be performed, then all agents sharing this action have to perform it at that round. Thus, the agents communicate by means of shared actions. The temporal evolution of an agent's local states is accommodated to the needs of interleaving; while in standard IS the next local state depends on the actions performed by all agents in the system, in IIS local states depend only on the agent's own action. We summarise the framework of IIS, as presented in [16], to model interleaved MAS.

We assume that a MAS is composed of $n$ agents $A = \{1, \dots, n\}$. Each agent $i \in A$ is characterised by a finite set of local states $L_i$ and a finite set of actions $Act_i$. Each $Act_i$ contains a special action $\epsilon_i$ which we call the "silent" action; as the name suggests, whenever $\epsilon_i$ is performed, agent $i$'s local state does not change. We call $ACT = \bigcup_{i \in A} Act_i$ the union of all the sets $Act_i$. Actions are performed in compliance with a protocol $P_i : L_i \to \wp(Act_i)$ governing which actions can be performed in a given state. The silent action is enabled at every local state; formally, $\forall i \in A : \forall l_i \in L_i : \epsilon_i \in P_i(l_i)$. For each action $a$, we call $Agent(a) = \{i \in A \mid a \in Act_i\}$ the set of agents potentially able to perform $a$. The evolution of agent $i$'s local states is described by the (transition) function $t_i : L_i \times Act_i \to L_i$ such that $t_i(l_i, \epsilon_i) = l_i$ for each $l_i \in L_i$. Note that $t_i$ is a function of agent $i$'s local action only.

A global state $g = (l_1, \dots, l_n) \in L_1 \times \dots \times L_n$ is an $n$-tuple of local states for all the agents in the MAS and represents the state of the system at a particular instance of time. Given a global state $g = (l_1, \dots, l_n)$, we write $g_i$ to denote the local component $l_i$ of agent $i \in A$ in $g$. Given a set of agents $J = \{j_1, \dots, j_k\} \subseteq A$, we write $g_J$ to denote the tuple of local components $(l_{j_1}, \dots, l_{j_k})$ of the agents $J$ in $g$. The local protocols and the local evolution functions determine how the system proceeds from one global state to the next.
Figure 1: An IIS of TGC comprised of two trains.

Definition 2.1. (Interleaved Semantics) Let $G$ be a set of global states. The global interleaved evolution function $t : G \times Act_1 \times \dots \times Act_n \to G$ is defined as follows: $t(g, act_1, \dots, act_n) = g'$ iff there exists an action $a \in ACT$ such that for all $i \in Agent(a)$ we have that $act_i = a$ and $t_i(g_i, a) = g'_i$; and for all $i \in A \setminus Agent(a)$, we have that $act_i = \epsilon_i$ and $t_i(g_i, act_i) = g'_i = g_i$. In short, we write the above as $g \xrightarrow{a} g'$.

We assume that the joint silent action is always enabled; thus, the global transition relation is serial. A sequence of global states and actions $\pi = g^1 a^1 g^2 a^2 g^3 \dots$ is said to be an interleaved path (or simply a path) originating at $g^1$ if for every pair of successor states we have that $g^i \xrightarrow{a^i} g^{i+1}$, for every $i \geq 1$. We write $\pi(i)$ to denote the $i$-th global state in $\pi$. The set of all paths originating from $g$ is denoted by $\Pi(g)$. The local path of agent $i \in A$ in $\pi$ is the projection of $\pi$ onto $i$; i.e., the sequence $\pi^i = g^1_i a^1 g^2_i a^2 g^3_i \dots$. The projection of $\pi$ onto a set of agents $J$ is the sequence $\pi_J = g^1_J a^1 g^2_J a^2 g^3_J \dots$. We denote by $\pi[i]$ the suffix $g^i a^i g^{i+1} \dots$ of $\pi$. A state $g \in G$ is said to be reachable from $g^1 \in G$ if there is a path $g^1 a^1 g^2 \dots$ such that $g = g^i$, for some $i \geq 1$.



Definition 2.2. (Interleaved Interpreted Systems) Let $AP$ be a set of atomic propositions. An interleaved interpreted system (IIS), or a model, is a 4-tuple $M = (G, \iota, \Pi, V)$, where $G$ is a set of global states, $\iota \in G$ is an initial global state such that each state in $G$ is reachable from $\iota$, $\Pi = \bigcup_{g \in G} \Pi(g)$ is the set of all interleaved paths originating from all states in $G$, and $V : AP \to \wp(G)$ is a valuation function.

Example 2.3. The IIS presented in Figure 1 is the untimed version of the Train-Gate-Controller. The system is composed of a controller and two trains. Each train runs along a circular track and both tracks pass through a narrow tunnel (state encoded by "T"). The tunnel allows only one train to pass through it (and get to state "A" (Away)) at any time. The controller operates the colour (states "G" (Green) and "R" (Red)) of the traffic lights, located at both sides of the tunnel, to let the trains enter and leave the tunnel. Initially, the trains are in state "W" (Waiting) and the controller is in state "G". In the figure the transitions with the same label are synchronised and the $\epsilon$ actions are omitted.

2.2 Template Agent and Parameterised Interleaved Systems

Several protocols are designed for an unbounded number of identical participants. Cache coherence, mutual exclusion, and voting protocols are typical examples in which the number of participants (caches, processes, and voters respectively) is independent of the design process. A similar occurrence happens in MAS with multi-party negotiation protocols, auctions and in open systems in general. In the following we develop a formal model of a parameterised multi-agent system, composed of an arbitrary number of identical agents, that can be used in these circumstances. Given that the number of agents is a priori unknown, a parameterised system describes an infinite family of systems where an instance in the family, or concrete instantiation, is obtained by specifying the number of agents in the system. Formally, we introduce below parameterised interleaved interpreted systems (PIIS), an extension of interleaved interpreted systems, to model the aforementioned classes of systems.

A PIIS is composed of an arbitrary number of identical agents. We write $T(n)$ to denote a PIIS, where $n \geq 1$ is the parameter specifying the number of agents, each constructed from a template agent $T$. The template agent is an interleaved agent encoded with a set of synchronous actions and a set of asynchronous actions. As will be clear below, if the action performed in a global transition is a synchronous action, then all agents participate in the global action by performing the same (synchronous) action. However, if the action performed in a global transition is an asynchronous action, then exactly one agent participates in the global action. Therefore, all agents synchronise at any time step in which a synchronous action is performed.

Definition 2.4. (Template Agent) Given a set of propositions $AP$, a template agent is a tuple $T = (L, \iota, Act, P, t, h)$, where $L$ is a finite nonempty set of template states, of which $\iota \in L$ is the unique initial template state, $Act = Act^S \cup Act^A \cup \{\epsilon\}$ is a finite set of template actions, where $Act^S$ is a set of synchronous actions, $Act^A$ is a set of asynchronous actions, and $Act^S \cap Act^A \cap \{\epsilon\} = \emptyset$, $P : L \to \wp(Act)$ is the protocol such that for all $l \in L$, $\epsilon \in P(l)$, $t : L \times Act \to L$ is the (deterministic) template evolution function such that for all $l \in L$, $t(l, \epsilon) = l$, and $h : L \to \wp(AP)$ is a labelling function for the template states.

Given a template agent $T$, $T(n)$ denotes the parallel composition of $n$ concrete agents$^1$ $A = \{1, \dots, n\}$. Each agent $i \in A$ is obtained by subscripting the states and actions of $T$ as follows: $L_i = L \times \{i\}$, $Act_i = Act^S \cup Act^A_i \cup \{\epsilon_i\}$, where $Act^A_i = Act^A \times \{i\}$; synchronous template actions are not subscripted. For a concrete action $a \in Act_i$, we write $tl(a)$ to refer to the corresponding template action; analogously, for a concrete state $l_i \in L_i$, we write $tl(l_i)$ to refer to the corresponding template state $l$. The local protocol $P_i : L_i \to \wp(Act_i)$ of the $i$-th agent is defined by $a \in P_i(l_i)$ iff $tl(a) \in P(l)$. The evolution function $t_i : L_i \times Act_i \to L_i$ of the $i$-th agent is defined by $t_i(l_i, a) = l'_i$ iff $t(l, tl(a)) = l'$. We associate with each $i \in A$ a local labelling function $V_i : L_i \to \wp(AP \times \{i\})$ defined by $p_i \in V_i(l_i)$ iff $p \in h(l)$.

The global transitions we consider in PIIS are as in Definition 2.1. A global transition from a global state $g$ complies with the definition if either a synchronous action is enabled for all agents in $g$ or an asynchronous action $a_i \in Act_i$ is enabled for an agent $i \in A$ in $g$. Indeed, if $a \in Act^S$, then $Agent(a) = A$; if $a_i \in Act^A_i$, for some $i \in A$, then $Agent(a_i) = \{i\}$. Therefore, synchronous actions play the role of shared actions in IIS, except that synchronous actions are shared by all agents. We now define parameterised interleaved interpreted systems.

$^1$ When it is clear from the context, we write "agent" instead of "concrete agent".



Definition 2.5. (Parameterised Interleaved Interpreted Systems) Given a natural number $n \geq 1$ and a template agent $T = (L, \iota, Act, P, t, h)$, a parameterised interleaved interpreted system (PIIS), composed of $n$ concrete agents, is a tuple $T(n) = (G^n, \iota^n, \Pi^n, V^n)$, where $G^n = L^{[n]}$ is a set of global states, $\iota^n = (\iota_1, \dots, \iota_n)$ is an initial (global) state, $\Pi^n = \bigcup_{g \in G^n} \Pi(g)$ is the set of all interleaved paths originating from all states in $G^n$, and $V^n : G^n \to \wp(AP \times A)$ is a labelling function defined by $p_i \in V^n(g)$ iff $p_i \in V_i(g(i))$.

Given a template agent, the above definition denotes an 
infinite family of concrete systems. A member of the family, 
which we call an instance of the parameterised system, is 
obtained by fixing the value of the parameter n. 

2.3 The Specification Language IACTL*K-X

The analysis of an agent's behaviour in a MAS has been widely explored using combinations of linear and branching time logics with knowledge. These logics allow us to express how an agent's knowledge evolves over time. However, we cannot use propositional temporal-epistemic logics to reason about an unbounded number of agents. To see this, consider the parameterised variant of the Train-Gate-Controller and suppose that we want to express the property: "for every $i \in A$, whenever $i$ is in the tunnel, then it knows that no other train is in the tunnel at the same time". This property encodes all distinct pairs of trains. Therefore, to express the property for a TGC composed of $n$ trains we need to construct a (long) formula composed of $2!\binom{n}{2}$ conjuncts. In general we would like to express properties that are independent of the number of agents in the system, as if we were able to quantify over agents. To overcome these shortcomings we introduce the indexed temporal-epistemic logic IACTL*K-X. Indexed logics are commonly used in parameterised systems [8]; therefore, an indexed temporal-epistemic logic is a natural choice for reasoning about parameterised MAS.

IACTL*K-X adds indexed epistemic modalities to the universal fragment of CTL*-X (the logic CTL* without the next-time operator, extended with indexed atomic propositions). We consider a stuttering-insensitive logic (i.e., a logic insensitive to repeated occurrences of the same state, or equivalently a logic without the next-time operator [5]), since the next-time operator can be used to count the number of agents in the system [4], leading the parameterised verification problem to undecidability [9].

Intuitively, any IACTL*K-X formula $\varphi$ represents an ACTL*K-X formula for each concrete system $T(n)$, $n \geq c$, where $c$ is the number of unique indices contained in $\varphi$; the formula corresponding to $T(n)$ is the conjunction of all formulae that can be constructed from $\varphi$ by instantiating the indices with every $c$-tuple of distinct agents in $T(n)$.

2.3.1 Syntax and semantics of IACTL*K-X

We assume a set $VS$ of variable symbols which we use to index the atomic propositions and the epistemic modalities. There are two types of formulas in IACTL*K-X: (i) state formulas, which are true at a state, and (ii) path formulas, which are true on a path.

Definition 2.6. (Syntax of IACTL*K-X) The state and path formulae of IACTL*K-X over a set $AP$ of propositions and a set $VS$ of variable symbols are inductively defined as follows:

• S1. if $p \in AP$ and $v \in VS$, then $p_v$ and $\neg p_v$ are state formulas;

• S2. if $\varphi$ and $\psi$ are state formulas, then $\varphi \wedge \psi$, $\varphi \vee \psi$ and $K_v \varphi$ ($v \in VS$) are state formulas;

• S3. if $\varphi$ is a state formula which contains exactly the variable symbols $J \subseteq VS$, then $\bigwedge_J \varphi$ is a state formula;

• S4. if $\varphi$ is a path formula, then $A(\varphi)$ is a state formula;

• P1. any state formula $\varphi$ is also a path formula;

• P2. if $\varphi$ and $\psi$ are path formulas, then $\varphi \wedge \psi$ and $\varphi \vee \psi$ are path formulas;

• P3. if $\varphi$ and $\psi$ are path formulas, then $U(\varphi, \psi)$ and $R(\varphi, \psi)$ are path formulas.

The $\bigwedge_J$ connective serves as a universal agent quantifier ranging over all $|J|$-tuples of pairwise distinct agents. Given a formula $\varphi$, a variable $v \in VS$ occurring in $\varphi$ is said to be bound if it is in the scope of a $\bigwedge_J$ connective; otherwise, $v$ is said to be free. A formula in which there are no free occurrences of variables is said to be a sentence. The logic IACTL*K-X consists of the set of all path sentences. For an IACTL*K-X formula $\varphi$, we write $\varphi(J)$ to indicate that: (i) all variables in $J \subseteq VS$, and only them, occur free in $\varphi$, and (ii) $\varphi$ does not contain any $\bigwedge_J$ connectives. The path quantifier $A$ stands for "for all paths". The temporal operators $U$ and $R$ stand for "until" and "release" respectively; the formula $U(\varphi, \psi)$ is read as "$\varphi$ holds continuously until $\psi$ holds", whereas the formula $R(\varphi, \psi)$ is read as "$\varphi$ releases $\psi$". The operator $K$ denotes the epistemic modality; $K_v \varphi$ is read as "each concrete agent $i \in A$ knows $\varphi$" (since we consider sentences only, $v$ is always bound by a $\bigwedge_J$ connective; therefore $v$ ranges over all agents).

Consider the TGC again; we can now easily express the property previously stated with the IACTL*K-X formula $\bigwedge_{\{v,u\}} AG(inTunnel_v \to K_v \neg inTunnel_u)$.

The specifications we consider in this paper are of the form $\bigwedge_J \varphi(J)$. Since these formulas range over all $|J|$-tuples of distinct agents, a standard model checking procedure would have to consider every instantiation of $\varphi(J)$. However, a result we obtain is that model checking a formula $\bigwedge_J \varphi(J) \in$ IACTL*K-X can be reduced to model checking a single instantiation of $\varphi(J)$, thereby simplifying the complexity of the model checking procedure. Note that an instantiation of $\varphi(J)$ is an ACTL*K-X formula, built as follows:

Definition 2.7. ACTL*K-X formulae over a set $AP$ of atomic propositions and a set $A$ of agents are defined as in Definition 2.6, but omitting (S3) and replacing (S1) and (S2) with: S1'. if $p \in AP$ and $i \in A$, then $p_i$ and $\neg p_i$ are state formulas; S2'. if $\varphi$ and $\psi$ are state formulas, then $\varphi \wedge \psi$, $\varphi \vee \psi$ and $K_i \varphi$ ($i \in A$) are state formulas.

For an ACTL*K-X formula $\varphi$, we write $\varphi(J)$ ($J \subseteq A$) to indicate that for each subformula $K_i \psi$ and each proposition $p_j$ of $\varphi$ we have that $i, j \in J$. We write ACTL*K^J-X for the restriction of ACTL*K-X to all path formulae of the form $\varphi(J)$. We interpret IACTL*K-X formulae over PIIS. The temporal modalities are interpreted over the global transition relation and the epistemic modalities are interpreted over the equality of the local components of the global states.



Definition 2.8. (Satisfaction) Let $T(n) = (G, \iota, \Pi, V)$ be a parameterised interleaved interpreted system, let $\pi = g^1 a^1 g^2 \dots$ be a path of $T(n)$, let $g \in G$ be a state of $T(n)$, and let $\varphi$ be an IACTL*K-X formula. Satisfaction of $\varphi$ at $g$, denoted $(T(n), g) \models \varphi$, or simply $g \models \varphi$, and satisfaction of $\varphi$ on $\pi$, denoted $(T(n), \pi) \models \varphi$, or just $\pi \models \varphi$, is inductively defined as follows:

S1. $g \models p_i$ iff $p_i \in V_i(g_i)$; $g \models \neg p_i$ iff not $g \models p_i$, for $p_i \in AP \times A$;

S2. $g \models \varphi \wedge \psi$ iff $g \models \varphi$ and $g \models \psi$; $g \models \varphi \vee \psi$ iff $g \models \varphi$ or $g \models \psi$; $g \models K_i \varphi$ iff $g' \models \varphi$ for every $g' \in G$ such that $g_i = g'_i$;

S3. $g \models \bigwedge_J \varphi(J)$ iff $g \models \varphi(C)$ for every $C \in \{I \mid I \subseteq A \text{ and } |I| = |J|\}$;

S4. $g \models A\varphi$ iff $\pi \models \varphi$ for every path $\pi$ such that $\pi(1) = g$;

P1. $\pi \models \varphi$ iff $\pi(1) \models \varphi$, for any state formula $\varphi$;

P2. $\pi \models \varphi \wedge \psi$ iff $\pi \models \varphi$ and $\pi \models \psi$; $\pi \models \varphi \vee \psi$ iff $\pi \models \varphi$ or $\pi \models \psi$;

P3. $\pi \models U(\varphi, \psi)$ iff there is an $i \geq 1$ such that $\pi[i] \models \psi$ and $\pi[j] \models \varphi$ for all $1 \leq j < i$; $\pi \models R(\varphi, \psi)$ iff for every $i \geq 1$, if $\pi[j] \not\models \varphi$ for all $1 \leq j < i$, then $\pi[i] \models \psi$.

We use the following abbreviations: $\top = p_v \vee \neg p_v$ and $\bot = p_v \wedge \neg p_v$, for some $p \in AP$ and $v \in VS$; $F\varphi \stackrel{def}{=} U(\top, \varphi)$ ("eventually $\varphi$"); $G\varphi \stackrel{def}{=} R(\bot, \varphi)$ ("always $\varphi$"). A formula $\varphi$ is said to be true in $T(n)$, denoted $T(n) \models \varphi$, iff $(T(n), \iota) \models \varphi$. Given a PIIS $T(n) = (G, \iota, \Pi, V)$ and an IACTL*K-X formula $\varphi$, the model checking problem concerns establishing whether $(T(n), \iota) \models \varphi$.

2.3.2 Symmetry reduction to ACTL*K-X

Symmetry reduction techniques have been used to reduce the complexity of model checking temporal-epistemic properties of multi-agent systems [6]. Since a PIIS is composed of identical agents, intuitively there is an inherent symmetry in the system that we can exploit. Indeed, we adapt a similar result for reactive systems from [11] and show that an IACTL*K-X formula $\bigwedge_J \varphi(J)$ is equivalent to a single instantiation $\varphi(\{1, \dots, |J|\})$ of $\varphi(J)$.

Lemma 2.9. $T(n) \models \bigwedge_J \varphi(J)$ iff $T(n) \models \varphi(\{1, \dots, |J|\})$.

PROOF. (Sketch) ($\Rightarrow$) Obvious. ($\Leftarrow$) Suppose that $T(n) \models \varphi(\{1, \dots, k\})$ and let $J' = \{j_1, \dots, j_k\}$ be an arbitrary set of $k$ agents. Let $\zeta : A \to A$ be a bijective mapping (permutation) such that $\forall i \in \{1, \dots, k\} : \zeta(i) = j_i$. Given an object $o$ (either a state or a formula), let $\zeta(o)$ denote the object $o'$ obtained by replacing each occurrence of any $i \in A$ with $\zeta(i)$. As $g \xrightarrow{a} g'$ iff $\zeta(g) \xrightarrow{\zeta(a)} \zeta(g')$, and $g_i = g'_i$ iff $(\zeta(g))_{\zeta(i)} = (\zeta(g'))_{\zeta(i)}$, we get that $(T(n), \zeta(\iota)) \models \zeta(\varphi(\{1, \dots, k\}))$, and therefore $(T(n), \zeta(\iota)) \models \varphi(J')$. As $\zeta(\iota) = \iota$, we get that $(T(n), \iota) \models \varphi(J')$; therefore $T(n) \models \bigwedge_J \varphi(J)$. □

Given a system instance $T(c)$, model checking a formula $\bigwedge_J \varphi(J)$ is equivalent (by the semantics of IACTL*K-X) to model checking an ACTL*K-X formula of $\binom{c}{|J|}$ conjuncts of the form $\varphi(C)$, where $C \in \{I \mid I \subseteq \{1, \dots, c\} \text{ and } |I| = |J|\}$. The above lemma heavily reduces the complexity of model checking IACTL*K-X formulae by reducing the $\binom{c}{|J|}$ conjuncts to one. For example, model checking the formula $\bigwedge_{\{v,u\}} AG(inTunnel_v \to K_v \neg inTunnel_u)$ can be reduced to model checking the simpler formula $AG(inTunnel_1 \to K_1 \neg inTunnel_2)$.

2.3.3 Invariance of ACTL*K-X

As noted above, the idea of cutoff techniques in reactive systems is to find a system instance, called the cutoff instance, which can be used to show that a property holds for all instances. A notion of equivalence between the system instances can be of help here. Stuttering-insensitive logics are accompanied by the standard notion of stuttering simulation [18]. A system stuttering simulates another system if for every behaviour of the latter there is a stuttering-equivalent behaviour of the former. Informally, two behaviours are stuttering equivalent if the behaviours coincide when each sequence of stutter steps (i.e., steps that do not affect the labelling of the states) is collapsed to one step. Since we consider only universal path quantification, it follows that any ACTL*-X formula satisfied by the simulating model is also satisfied by the simulated model. Below we extend the notion of stuttering equivalence to ACTL*K-X. Since our specifications are of the form $\varphi(J)$, referring only to agents $J \subseteq A$, we project the valuation function onto $J$. This projection, denoted $V|_J$, is defined by $V|_J(g) = V(g) \cap \{p_i \mid i \in J\}$, for every state $g \in G$.

Definition 2.10. (J-Stuttering simulation) A relation $\sim_{Jss} \subseteq G \times G'$ is a $J$-stuttering simulation between two models $M = (G, \iota, \Pi, V)$ and $M' = (G', \iota', \Pi', V')$ if the following conditions hold:

2. if $g \sim_{Jss} g'$ then

(a) if $g_i = g^1_i$ for some $i \in J$, then $g'_i = g'^1_i$ for some $g'^1$ such that $g^1 \sim_{Jss} g'^1$;

(b) $V|_J(g) = V'|_J(g')$ and for every path $\pi$ of $M$ that starts at $g$, there is a path $\pi'$ of $M'$ that starts at $g'$, a partition $B_1, B_2, \dots$ of $\pi$, and a partition $B'_1, B'_2, \dots$ of $\pi'$ such that for each $j \geq 1$, $B_j$ and $B'_j$ are nonempty and finite, and every state in $B_j$ is related by $\sim_{Jss}$ to every state in $B'_j$.

A model $M'$ $J$-stuttering simulates a model $M$, denoted $M \leq_{Jss} M'$, if there is a $J$-stuttering simulation between $M$ and $M'$. Two models $M$ and $M'$ are called $J$-stuttering simulation equivalent if $M \leq_{Jss} M'$ and $M' \leq_{Jss} M$. Any ACTL*K^J-X formula is preserved under $J$-stuttering simulation equivalence.

Theorem 2.11. Let $M$ and $M'$ be two $J$-stuttering simulation equivalent models. Then, $(M, \iota) \models \varphi$ iff $(M', \iota') \models \varphi$, for any ACTL*K^J-X formula $\varphi$.

Proof. Stuttering simulation equivalence is known to preserve ACTL*-X formulae. Since atomic propositions in ACTL*^J-X formulae refer only to agents $J \subseteq A$, $J$-stuttering simulation equivalence preserves ACTL*^J-X formulae. Using induction on the structure of $\varphi$ it is easy to show that $J$-stuttering simulation equivalence also preserves ACTL*K^J-X formulae. □



It follows that if we are able to show that the cutoff instance $T(c)$ is $J$-stuttering equivalent to an arbitrary system instance $T(n)$, then we can use $T(c)$ to check whether a formula $\bigwedge_J \varphi(J) \in$ IACTL*K-X holds for an arbitrary number of agents.

3. MODEL CHECKING PARAMETERISED INTERLEAVED INTERPRETED SYSTEMS

We now present a technique for model checking parameterised interleaved interpreted systems. In particular, we propose an efficient and automated methodology for answering the following verification query:

$\forall n \geq |J| : T(n) \models \psi$, where $\psi = \bigwedge_J \varphi(J) \in$ IACTL*K-X

In other words, we want to be able to check that for any number $n \geq |J|$ of agents in the system, and for any $|J|$-tuple $C$ of distinct agents, the property $\varphi(C)$ holds. Note that the number of systems we would like to verify is unbounded and so is, in principle, the state space of the systems themselves. Therefore, traditional techniques to handle the state explosion problem cannot be of help here, and we need to use a different approach to reduce the state space. The key observation is that in certain circumstances it is sufficient to analyse only a finite number of systems to deduce properties about any larger system. Inspired by the work on cutoffs in the context of reactive systems [8, 10, 14], we say that a MAS cutoff $c$ is a value of the system parameter for which the system instance $T(c)$ exhibits all the behaviour admitted by any system instance $T(n)$, $n \geq c$, with respect to a certain specification $\psi$ being considered.

Definition 3.1. (MAS Cutoff) Let $T(n)$ be a parameterised interleaved interpreted system and let $\psi \in$ IACTL*K-X be of the form $\bigwedge_J \varphi(J)$. A natural number $c \geq |J|$ is said to be a MAS cutoff for $\psi$ if $T(c) \models \psi \Leftrightarrow \forall n \geq c : T(n) \models \psi$.

It follows that if a cutoff can be identified, then model checking an infinite family of systems can be reduced to model checking all system instances up to the cutoff. In reactive systems the cutoff usually depends on the system at hand, and identification methodologies are typically accompanied by the following shortcomings: (i) either the cutoff is not guaranteed to be the smallest [8, 10], or (ii) the cutoff is not guaranteed to exist, leading to incomplete methodologies [12]. By contrast, we here present a sound and complete methodology for identifying the smallest cutoff in model checking PIIS. Indeed, the following lemma shows that the smallest cutoff for an ACTL*K^{1,...,k}-X formula $\varphi$ is precisely $k$, the total number of agents appearing in the epistemic modalities and the propositions. Following this lemma, we use Lemma 2.9 to show that the cutoff for IACTL*K-X formulae of the form $\bigwedge_J \varphi(J)$ is $|J|$.



Lemma 3.2. If $\varphi(\{1, \dots, k\})$ is an ACTL*K^{1,...,k}-X formula, then $T(n) \models \varphi(\{1, \dots, k\})$ iff $T(k) \models \varphi(\{1, \dots, k\})$, for all $n \geq k$.

Proof. Choose an arbitrary $n \geq k$. Let $[n] = \{1, \dots, n\}$ and $[k+1, n] = [n] \setminus [k]$. We show that $T(n) \leq_{[k]ss} T(k)$ and $T(k) \leq_{[k]ss} T(n)$. The lemma then follows.

($\Rightarrow$ ($T(n) \leq_{[k]ss} T(k)$)) Define a relation $\sim_{[k]ss} = \{(g, g') \in G^n \times G^k \mid g_{[k]} = g'\}$. We show that $\sim_{[k]ss}$ is a $[k]$-stuttering simulation between $T(n)$ and $T(k)$. Let $g \sim_{[k]ss} g'$. Suppose that $g_i = g^1_i$ for some $i \in [k]$ and let $g'^1 = g^1_{[k]}$. We have that $g'_i = g'^1_i$ and $g^1 \sim_{[k]ss} g'^1$. Now let $\pi = g^1 a^1 g^2 a^2 g^3 \dots$, $g^1 = g$, be a path of $T(n)$ originating from $g$. We construct a path $\rho$ of $T(k)$ originating from $g'$ as required by $[k]$-stuttering simulation. Let $\rho = g^1_{[k]} a'^1 g^2_{[k]} a'^2 g^3_{[k]} \dots$, where $a'^j = a^j$ if $a^j \in \bigcup_{i \in [k]} Act_i$ and $a'^j = \epsilon$ otherwise, be the sequence obtained by the projection of $\pi$ onto $[k]$. By the assumption on the joint silent action, $\rho$ is a valid path of $T(k)$. We define a partition $B_1, B_2, \dots$ of $\pi$ and a partition $B'_1, B'_2, \dots$ of $\rho$ such that $|B_j| = |B'_j| = 1$ for each $j \geq 1$. It follows that $B_j \sim_{[k]ss} B'_j$ for each $j \geq 1$. Therefore, $T(n) \leq_{[k]ss} T(k)$.

($\Leftarrow$ ($T(k) \leq_{[k]ss} T(n)$)) The idea is to allow every agent $i \in [k+1, n]$ in $T(n)$ to mimic agent 1 (in $T(n)$). For this purpose, define a relation $\sim_{[k]ss}$ by

$\{(g, g') \in G^k \times G^n \mid g = g'_{[k]} \wedge \exists a^* : \forall i \in [k+1, n] : (a^*_i \in P_i(g'_i) \wedge tl(t_i(g'_i, a^*_i)) = tl(g'_1)) \vee tl(g'_i) = tl(g'_1)\}$

If $g \sim_{[k]ss} g'$, then each agent $i \in [k+1, n]$ in $g'$ is either at the same local state as agent 1 in $g'$, or agent $i$ is able to change its state to the state of agent 1 by performing the asynchronous action $a^*_i$. We show that $\sim_{[k]ss}$ is a $[k]$-stuttering simulation between $T(k)$ and $T(n)$. Let $g \sim_{[k]ss} g'$. Simulation requirement 2(a) follows by an argument similar to the one used in the left-to-right direction of the lemma. For simulation requirement 2(b), note that since the global evolution function is deterministic, a path $g^1 a^1 g^2 a^2 \dots$ is uniquely defined by the sequence $g^1 a^1 a^2 \dots$. We inductively define a function $f$ which maps a path $\rho = g^1 a^1 g^2 a^2 g^3 \dots$, $g^1 = g$, in $T(k)$ into a path in $T(n)$.

• $f(g^1 a^1 g^2 a^2 g^3 \dots) = g' a^*_{j_1} \dots a^*_{j_d} f(a^1 g^2 a^2 g^3 \dots)$, where $\{j_1, \dots, j_d\} = \{i \in [k+1, n] \mid tl(g'_i) \neq tl(g'_1)\}$;

• $f(a^1 g^2 a^2 g^3 \dots) = a^1 f(a^2 g^3 \dots)$, if $a^1 \notin Act^A_1$;

• $f(a^1 g^2 a^2 g^3 \dots) = a^1\, tl(a^1)_{k+1} \dots tl(a^1)_n\, f(a^2 g^3 \dots)$, if $a^1 \in Act^A_1$.

We partition $\rho$ into singleton blocks $B_1, B_2, \dots$ and we partition $f(\rho) = g' a^1 \dots$ into the sequence $B'_1, B'_2, \dots$, where $B'_j = g^j$ if $a^{j-1} \in \bigcup_{z \in [2, k]} Act_z$, and $B'_j = g^j \cdots g^{j+d}$ if $a^{j-1}, \dots, a^{j+d-1} \in \bigcup_{z \in \{1\} \cup [k+1, n]} Act_z$ and $a^{j+d} \in \bigcup_{z \in [k]} Act_z$. It follows that $B_j \sim_{[k]ss} B'_j$; therefore, $T(k) \leq_{[k]ss} T(n)$. □



A consequence of the above lemma is the following:

Theorem 3.3. Let $\psi$ be an $\mathrm{IACTL^*K}_{-X}$ formula of the form $\bigwedge_J \psi(J)$. Then, $\forall n \geq |J| : \mathcal{T}(n) \models \psi$ iff $\mathcal{T}(|J|) \models \psi$.

Proof. By exploiting symmetry (Lemma 2.9), it suffices to prove the result for $\psi([|J|])$ (Lemma 3.2). □



The above theorem is our main theoretical result. It follows that to verify a formula $\bigwedge_J \varphi(J)$ on all system instances, it suffices to verify the formula $\varphi([|J|])$ on the system instance $\mathcal{T}(|J|)$. Since in the MAS literature most properties are expressed by using one or two epistemic and propositional indices, this dramatically improves our verification abilities. Furthermore, we can combine this technique with others available in the literature. Indeed, upon obtaining the instance $\mathcal{T}(|J|)$ we can further apply partial order reductions [16], abstraction [7], data symmetry reduction [6], etc., to further reduce the state space of the model.



Corollary 3.4. Model checking parameterised interleaved interpreted systems against $\mathrm{IACTL^*K}_{-X}$ formulae of the form $\bigwedge_J \psi(J)$ is decidable.

Proof. By Theorem 3.3, it suffices to model check the system instance of $|J|$ agents against $\psi([|J|])$. □

The above is in line with the literature on reactive systems [3, 19, 10, 8], where, although it has been shown that verification of parameterised systems is, in general, undecidable [5], positive results have been obtained by imposing restrictions on the systems and the properties, thereby obtaining decidable subclasses.

4. AN EXAMPLE: AUTONOMOUS ROBOT 

For illustration purposes we exemplify the theory presented above on a modified version of the autonomous robot example from [12]. In this example a robot runs along an endless straight track where its position is specified over discrete locations numbered 0, 1, 2, .... The robot can move only forward along the track, starting at position 0. A faulty sensor is attached to the robot measuring its position; a sensor reading at location $q$ can be any of the values in $R_q = \{q-1, q, q+1\}$. The movement of the robot is controlled by the environment. The only action the robot can perform is to halt; if the robot does not halt, the environment may move the robot one position forward at each time step; once the robot halts, the environment can no longer move it. The goal of the robot is to never exit the goal region $GR = \{2, 3, 4\}$ upon entering it and to never halt in the restricted region $RR = \{0, 1\}$. A sound and complete solution to the autonomous robot problem [12] is for the robot to do nothing while the value of its sensor is less than 3, and to halt once the value of its sensor is greater than or equal to 3. We generalise this problem to a parameterised setting.

We assume an arbitrary number of robots, each running along its own track and each equipped with its own faulty sensor. The environment may move all non-halted robots one position forward at each time step. We represent this scenario by means of PIIS. We arbitrarily choose eight distinct locations; note that the number of locations does not affect the scenario as long as it is greater than four. Since we use interleaving semantics, we assume that the environment moves each robot in sequence; however, we require the environment to move all robots before moving any robot twice.

We proceed to define the template agent $T$. A template state is a 4-tuple $l = (p, s, h, m)$, where $p$ and $s$ represent the position of the robot and the value of its sensor respectively, $h$ represents whether or not the robot has halted, and $m$ is a binary variable representing whether or not the environment has moved the robot in an interleaving sequence (a sequence in which the environment moves all non-halted robots from position $q$ to $q+1$). Therefore, $L = \{(p, s, h, m) \mid 0 \leq p, s \leq 7 \text{ and } h, m \in \{\top, \bot\}\}$ is the set of template states, from which we define $\iota = (0, 0, \bot, \bot)$ as the initial template state. A robot can either do nothing or halt; the set $Act^A$ of asynchronous template actions is $Act^A = \{null, null^+, null^-, halt\}$; the null actions represent the environment moving the robot a position forward and either providing a correct sensor reading ($null$) or not ($null^+$, $null^-$). A robot can move to position $q+1$ only if all non-halted robots have moved to position $q$; the unique synchronous template action $n\_s$ (next step) synchronises all robots before the environment can move a robot. As will be clear below, when a null action is performed at position $q$, then $m$ is set to $\top$ and the protocol selects the action $n\_s$, thereby disallowing a robot to move to position $q+1$ before all robots have moved to position $q$.

The template protocol $P$ selects one of the null actions at position $q$ when $m = \bot$ and the sensor reading is less than 3. The synchronous action $n\_s$ is the only allowed action when $m = \top$. Whenever the sensor reading is greater than 2, the halting condition is satisfied and the protocol selects the halt action: $P((p < 7, s < 3, h = \bot, m = \bot)) = \{null, null^+, null^-\}$; $P((p = *, s = *, h = *, m = \top)) = \{n\_s\}$; $P((p = *, s \geq 3, h = \bot, m = \bot)) = \{halt\}$, where $*$ expresses any value. The template evolution function contains the following transitions:

$(p, s, \bot, \bot) \xrightarrow{null} (p+1, p+1, \bot, \top)$; $(p, s, \bot, \bot) \xrightarrow{null^+} (p+1, p+2, \bot, \top)$; $(p, s, \bot, \bot) \xrightarrow{null^-} (p+1, p, \bot, \top)$; $(p, s, \bot, \top) \xrightarrow{n\_s} (p, s, \bot, \bot)$ and $(p, s, \bot, \bot) \xrightarrow{halt} (p, s, \top, \top)$.

We introduce the following atomic propositions: $AP = \{h \text{ (halted)}, g \text{ (goal region)}, r \text{ (restricted region)}\}$. The interpretation of these propositions is given by the following valuation function: $V(h) = \{l \in L \mid l_3 = \top\}$, $V(g) = \{l \in L \mid 2 \leq l_1 \leq 4\}$, and $V(r) = \{l \in L \mid 0 \leq l_1 \leq 1\}$.

We verify that the halting condition is sound and complete in the parameterised variant of the autonomous robot by model checking the formulae $par_1 = \bigwedge_{\{i\}} AG(g_i \rightarrow AG(g_i))$ and $par_2 = \bigwedge_{\{i\}} AG(r_i \rightarrow \neg h_i)$. The specification $par_1$ expresses "for every robot $i$, if $i$ is within the goal region, then $i$ never exits the goal region". The formula $par_2$ states that "for every robot $i$, if $i$ is within the restricted region, then $i$ has not halted". Note that the combined state space of the systems to be checked is unbounded. Observe also that model checking the above specifications is equivalent to model checking the formulae $AG(g_1 \rightarrow AG(g_1)) \wedge \cdots \wedge AG(g_n \rightarrow AG(g_n))$ and $AG(r_1 \rightarrow \neg h_1) \wedge \cdots \wedge AG(r_n \rightarrow \neg h_n)$ on each system instance $\mathcal{T}(n)$, $n \geq 1$. This is clearly not possible via standard model checking techniques. However, by using Lemmas 2.9 and 3.2 we can deduce that the MAS cutoff is equal to 1 and reduce the problem to checking the formulae $AG(g_1 \rightarrow AG(g_1))$ and $AG(r_1 \rightarrow \neg h_1)$ on the system instance $\mathcal{T}(1)$. Clearly the latter is a simple problem and, indeed, we can easily check that the specification is satisfied, thereby deducing that the parameterised query is also satisfied.

To proceed further in our analysis, we can also verify that if a robot halts, then it knows that every other robot's position is within the goal region, as expressed by the formula $par_3 = \bigwedge_{\{i,j\}} AG(h_i \rightarrow K_i g_j)$. Also we could check that a robot knows that every other robot halted at the same time: $par_4 = \bigwedge_{\{i,j\}} AG(h_i \rightarrow K_i h_j)$. Similarly to the above, the formulae $par_3$ and $par_4$ can be reduced through Lemma 2.9 to $par'_3 = AG(h_1 \rightarrow K_1 g_2)$ and $par'_4 = AG(h_1 \rightarrow K_1 h_2)$, which can be verified on the system instance $\mathcal{T}(2)$ obtained by using a cutoff equal to 2 through Lemma 3.2. Also in this case we can check the result on the much smaller model and verify that the formula $par'_3$ holds while $par'_4$ does not (since the sensor readings may differ). So we infer that $par_3$ holds on the unbounded system while $par_4$ does not.
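The robot template, the interleaved instances T(1) and T(2) and the four reduced formulae, as an added Python example that is not the paper's mcmas-p code: it enumerates the reachable global states explicitly (mcmas-p works on OBDDs) and evaluates par'_1, par'_2 on T(1) and par'_3, par'_4 on T(2). State, action and proposition names follow the paper; that a halted robot performs n_s as a self-loop is an assumption.

```python
# Explicit-state model of the Section 4 robot template and its cutoff instances T(1), T(2).
# Added example (not the paper's mcmas-p); a halted robot's n_s self-loop is an assumption.
def protocol(l):                        # template protocol P; l = (p, s, h, m)
    p, s, h, m = l
    if m:                               # m = T: only the synchronous step n_s
        return {"n_s"}
    if not h and s < 3 and p < 7:       # the environment may move the robot
        return {"null", "null+", "null-"}
    if not h and s >= 3:                # halting condition: sensor reading >= 3
        return {"halt"}
    return set()

def evolve(l, a):                       # template evolution; reading at q = p+1 is in {q-1, q, q+1}
    p, s, h, m = l
    if a == "null":  return (p + 1, p + 1, h, True)
    if a == "null+": return (p + 1, p + 2, h, True)
    if a == "null-": return (p + 1, p,     h, True)
    if a == "halt":  return (p, s, True, True)
    return (p, s, h, h)                 # n_s: a moving robot resets m, a halted one stays (assumed)

def successors(g):                      # interleaving: one robot acts, or all perform n_s jointly
    succ = set()
    for i, l in enumerate(g):
        for a in protocol(l) - {"n_s"}:
            succ.add(g[:i] + (evolve(l, a),) + g[i + 1:])
    if all("n_s" in protocol(l) for l in g):
        succ.add(tuple(evolve(l, "n_s") for l in g))
    return succ

def reach_from(frontier):               # global states reachable from a set of states
    seen, todo = set(frontier), list(frontier)
    while todo:
        for g2 in successors(todo.pop()) - seen:
            seen.add(g2); todo.append(g2)
    return seen

def T(n):                               # reachable states of the n-robot instance T(n)
    return reach_from({((0, 0, False, False),) * n})
# atomic propositions h_i, g_i, r_i (0-based robot index) as predicates on global states
halted = lambda i: lambda g: g[i][2]
goal   = lambda i: lambda g: 2 <= g[i][0] <= 4
restr  = lambda i: lambda g: 0 <= g[i][0] <= 1
def AG(states, prop):                   # AG(prop): prop holds in every reachable state
    return all(prop(g) for g in states)
def K(states, i, prop):                 # K_i prop at g: prop in every state i cannot tell from g
    return lambda g: all(prop(g2) for g2 in states if g2[i] == g[i])

def check_cutoff_formulae():            # par'_1, par'_2 on T(1); par'_3, par'_4 on T(2)
    s1, s2 = T(1), T(2)
    par1 = all(AG(reach_from({g}), goal(0)) for g in s1 if goal(0)(g))   # AG(g_1 -> AG g_1)
    par2 = AG(s1, lambda g: not restr(0)(g) or not halted(0)(g))          # AG(r_1 -> ~h_1)
    par3 = AG(s2, lambda g: not halted(0)(g) or K(s2, 0, goal(1))(g))     # AG(h_1 -> K_1 g_2)
    par4 = AG(s2, lambda g: not halted(0)(g) or K(s2, 0, halted(1))(g))   # AG(h_1 -> K_1 h_2)
    return par1, par2, par3, par4       # -> (True, True, True, False)
```

The counterexample to par'_4 is the state in which robot 1 halts at position 2 on a reading of 3 while robot 2 is at position 2 with a reading of 1 and is still moving.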

5. EVALUATION 

Implementation. We have implemented the presented methodology as an extension to the open-source model checker mcmas [17]. The extended model checker, currently named mcmas-p, is available from [11]. ISPL, the input language of mcmas, was suitably extended to allow for the definition of PIIS and to support the specification of indexed formulae. The description of a PIIS in this language (called PISPL) includes the declaration of a template agent. This declaration differs from agent declarations in ISPL by having sections of asynchronous and synchronous actions, and an initial state section. We refer to [11] for the PISPL description of the autonomous robot example. The specifications supported by mcmas-p are expressed in indexed $\mathrm{ACTLK}_{-X}$.

Robots | States           | Instantiations | Time (s) | Memory (KiB)
2      | 201             | 2              |          | 9010
30     | 1.26092 x 10^27 | 870            | 18       | 44744
60     | 3.59402 x 10^57 | 3540           | 868      | 63894032
90     | TIMEOUT         | 8010           | TIMEOUT  | TIMEOUT

Table 1: mcmas verification results for $par_3$.

Given a PIIS and a formula to be verified, mcmas-p determines the cutoff $c$ for the system as in Theorem 3.3 by counting the number of unique indices used in the specification to be tested. A concrete system of $c$ agents, each an indexed copy of the template agent, is then automatically constructed and represented symbolically. The specifications are automatically reduced to formulae in $\mathrm{ACTLK}_{-X}$, as described in Lemma 2.9. The OBDD-based algorithms utilised by mcmas are then used to verify the system against the reduced $\mathrm{ACTLK}_{-X}$ formulae. We also note that the BDD encoding of the joint protocol differs from that of mcmas in order to enforce the interleaving semantics used here.

Experimental Results. In order to evaluate the methodology presented, we illustrate the infeasibility of running model checking algorithms on each concrete system instance. We considered the parameterised autonomous robot scenario against the specification $par_3$, which we verified on an Intel Core i7 processor clocked at 2.20 GHz, with 6144 KiB cache, running 64-bit Fedora 17, kernel 3.3.4. The results are reported in Table 1. The Robots and States columns respectively show the system instance (number of robots) and its state space; the Instantiations column shows the number of possible instantiations of $par_3$, each to be verified by the model checker; the Time and Memory columns show the CPU time and memory usage respectively. These results show that, as expected, the state space and the length of the formulae to be verified grow exponentially with the number of agents in the system. As a consequence, verification quickly becomes infeasible under the time and memory constraints. This is exemplified by the system of 90 robots, where mcmas did not finish within the timeout of one hour. In addition, of course, the plain model checking approach cannot ever ensure that the property holds on a system of arbitrarily many agents. In comparison, mcmas-p constructed and verified a system of 2 robots in under 0.1 seconds, thereby showing that the property holds for an unbounded number of agents.

6. CONCLUSIONS AND RELATED WORK 

In this paper we have developed a technique to verify that a temporal-epistemic property holds in a MAS irrespective of the number of agents present in the system. The problem is undecidable in general, but we have defined a suitable semantics (that of PIIS) for which we gave a sound and complete procedure for determining a cutoff for a system. To do so we have defined a suitable parameterised logic and developed stuttering-equivalence simulation results for it on PIIS. We find the result significant as it opens the way for the verification of a large number of protocols previously verified only for individual instances containing a limited number of agents. Open systems with an unbounded number of homogeneous participants, e.g., negotiations and auctions, seem particularly suitable for this analysis.

Related Work. Existing literature on parameterised verification [3, 19, 21, 10, 8, 14] is limited to reactive systems and plain temporal logics. Moreover, mainstream methodologies [10, 8, 14] do not guarantee soundness, completeness and the identification of the smallest cutoff at the same time. In [14] a cutoff is identified by enumerating the system instances and finding the smallest instance able to simulate a "special" structure which includes the behaviour of every instance. Although the technique is widely applicable and independent of the communication topology, a cutoff is not guaranteed to exist. Results closer to those in this paper are the sound and complete techniques put forward in [10, 8]. Similarly to this contribution, [10, 8] present stuttering-simulation results between the cutoff model and every system instance, thereby ensuring soundness and completeness; however, the results in [10] are applicable to ring topologies only and the technique in [8] does not identify the smallest cutoff.

In addition to cutoffs, abstraction techniques have of course been used in parameterised verification. In [19] concrete states are counter abstracted; an abstract state is a tuple of counters, one for each local state, denoting the number of system participants in that state. This process can be automated, but it is only applicable to a narrow class of systems and it is restricted to liveness properties. Environmental abstraction [3] extends counter abstraction by counting the number of participants that satisfy a given predicate and, although achieving wider applicability, the methodology has not been automated yet. In [21] a network invariant is identified which exhibits the behaviour of all system instances; if the invariant satisfies a property, then the property is satisfied by all system instances. A network invariant, however, is not guaranteed to exist, and, even when it does, its identification is not automated. In addition, none of these works tackle epistemic logic, nor MAS semantics, as we do here.

Future Work. A current limitation of the PIIS formalism is that agents cannot evolve differently depending on the environment's action. This limits the application of the technique to particular systems, such as different network topologies. In future work we plan to alleviate this limitation as well as apply the methodology presented here to protocols of practical interest.